Ever since RSA Security's executive chairman Art Coviello disclosed
on March 17 that attackers had successfully breached the companys networks and
stolen information related to the company's SecurID two-factor authentication
technology, customers have been worried about the security of their SecurID
deployments.

"Those hardware tokens have no upgrade path and would have
to be replaced," said Bruce Schneier, chief security technology officer at
British Telecom. If customers feel that SecurID is compromised, they are likely
to replace them with competing products, he said on his Schneier on Security
blog.

CA Technologies made its move with a limited-time swap
program that allows RSA customers to receive three-year enterprise licenses for
CA ArcotID secure software credentials for every RSA SecurID tokens traded in. Customers
will also receive the CA Arcot WebFort authentication server, CA announced on
March 29. The program will run till Sept. 30.

Assuming that the attackers stole the seed values used to
generate the one-time passwords on the SecurID tokens, a number of security
experts have speculated that RSA customers will need to replace all deployed
hardware tokens to prevent attackers from using the seed values to break in to
secure networks.

CA's offer may seem pretty attractive to RSA customers, as
the company promised the only cost to the making the switch was on-going
maintenance. In contrast, replacing these tokens with new ones from RSA could
be an expensive proposition for customers.

"The difficulty of remediation in case of a hardware token
breach can be overwhelming," said Ram Varadarajan, general manager for CA Arcot
Security Solutions at CA Technologies. He noted that a compromise in a hardware
token requires the company to deploy a new token, which could be costly,
time-consuming and inefficient.

The CA ArcotID software credential can be easily and
securely downloaded using "cryptographic camouflage technology," CA said. In the
event of a security breach, organizations would be able to reset the
credentials immediately and users would just self-provision a new private key
on their next logon, according to the company.

With CA ArcotID technology, each organization creates, manages
and stores its own private keys for all its own users. Since CA Technologies
holds no information about individual credentials, there's no chance of the
company compromising customer data, CA said.

CA ArcotID works across multiple applications and environments
and IT departments have the option to store the actual credentials on a client
device, such as a PC, laptop, tablet or smartphone, CA said. With an
increasingly mobile workforce, expecting employees to carry an additional key
fob or device was "not practical," according to Varadarajan.

"Hardware tokens are a security mechanism whose time has
expired," Varadarajan said.

The potential gain for CA is pretty significant. The company
claims nearly 30 million users for CA ArcotID. Contrast that with SecurID,
which is used by over 25,000 customers including large enterprises, financial
institutions, and government agencies. An estimated 40 million SecureID
physical tokens and 250 million software-based tokens have been deployed.